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DETAILED ACTION 
Specification 

1 . The title of the invention is not descriptive. A new title is required that is clearly 
indicative of the invention to which the claims are directed. The following title is 
suggested: 'Secure access to a unified logon-enabled data store using credentials'. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth In section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1-12 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Stallings Cryptography and Network Securitv 2"^ Edition (hereinafter Stallings) in view of 
Lai et al. "User Authentication and Authorization in the Java Platform" (hereinafter Lai). 
The user authentication method, as disclosed in the applicant's claims, reads into basic 
trusted third part authentication methodologies using encrypted credentials or 
certificates for user verification, which is provided by the third party. Kerberos, an 
authentication service developed as part of the Athena project at MIT, is one of the 
better-known and implemented services that follow this authentication format. The 
features of Kerberos are more comprehensive then the invention claimed by the 
applicant, but, in spirit, the applicant's invention follows the same procedure to 
authenticate a user to a service. Stallings predicates the disclosure of the Kerberos 
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authentication service with a description of a simple authentication procedure to provide 
an overview of the general structure of Kerberos. This simple authentication dialogue 
substantially covers the claimed invention. 

4. As per claim 1 , Stallings discloses a simple authentication dialogue that uses a 
central authentication server to log a client onto a network of distributed services (see 
Stallings, page 326, 'A Simple Authentication Dialogue'). This simple authentication 
dialogue uses a centralized server to securely identify users by obtaining information 
from the user and then sending a ticket back to the user, which comprises of an 
encrypted message containing the identification of the client, the network address of the 
client, and the identifier of the service. This generated ticket, in addition to an identifier 
of the client, is sent to the service, whereupon, the service decrypts the ticket and 
compares the identification with the parsed identification. Since only the authentication 
server and the service share the private encrypted key, only the authentication server 
could have encrypted the ticket when issued to the client. Hence, if the parsed id 
matches the id sent by the client, then the request is accepted (see Stallings, page 326, 
steps 1 , 2, and 3). Stallings is silent on the matter of supplying both a username and a 
computer identifier to authenticate a parsed username and parsed computer identifier. 
However, at the time the applicant's invention was made, because of the increasingly 
distributed nature of computing services, it became evident in the art that user 
identification needed to be based on two parts: a unique name for the user and an 
address (or computer id) of the user's terminal. Lai discloses the need for this type of 
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access identification in a networked computer system since users have a plurality of 
access points to a single service (see Lai, Section 5, 'Authorization'). Furthermore, in a 
secure computing system, where a user has been authorized and the physical terminals 
from where the user accesses the services are deemed secure, authentication of a user 
session only needs to verify that a server request from a user specifies who they say 
they are and where they are accessing the service. Therefore, it would be obvious to 
one of ordinary skill in the art at the time the invention was made, for the identity of a 
user during a session to comprise a username and a computer identification as taught 
in Lai in the simple authentication dialogue as taught by Stallings. Motivation for such 
an implementation would enable the invention to prevent identity duplicity by 
ascertaining a user by a unique name and a computer identifier. As such, the invention 
covered by Stallings comprises the following steps of: 

a) receiving an authentication key, a user name, and a computer identifier; 

b) parsing the authentication key to obtain a parsed user name and computer 
identifier; 

c) validating the received user name and computer identifier using the parsed 
user name and computer identifier (see Stallings, page 326, steps 1-3 as modified by 
Lai, Section 5, 'Authorization'). 

The aforementioned covers claim 1 . 

5. As per claim 2, Stallings covers a method of providing security for a computer 
connected to a data store as outlined above in the claim 1 rejection under 35 U.S.C. 
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103(a). In addition, the validating step connprises determining whether the received 
user name and computer identifier match the parsed user name and computer identifier 
(see Stallings, page 326, step 3; final paragraph). 

6. As per claim 3, Stallings covers a method of providing security for a computer 
connected to a data store as outlined above in the claim 2 rejection under 35 U.S.C. 
103(a). In addition, a match indicates that the received user name and computer 
identifier are valid (see Stallings, page 326, step 3; constitution of Ticket'; final 
paragraph). 

7. As per claim 4, Stallings covers a method of providing security for a computer 
connected to a data store as outlined above in the claim 1 rejection under 35 U.S.C. 
103(a). In addition, the method further comprises, before parsing, decrypting the 
authentication key (see Stallings, page 326, final paragraph). 

8. As per claims 5 and 6, Stallings covers a method of providing security for a 
computer connected to a data store as outlined above in the claim 1 rejection under 35 
U.S.C. 103(a). In this method, as disclosed above, the authentication server and the 
service share a secret key. An authentication key encrypted with the secret key could 
only be encrypted by the authentication server, and hence, the service accepts the user 
once the authentication key is decrypted and the parsed username and parsed 
computer identification matches the username and computer identification sent from the 
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user (see Stallings, page 326, third paragraph as modified by Lai, Section 5, 
'Authorization'). Stallings is silent on the matter of obtaining a server user identifier and 
password to authenticate the user into the service. However, the step of providing a 
server user identifier and corresponding password is an obvious feature. Services 
typically provide different types of services based on the user of the service. As an 
example, Lai discloses the implementation of roles in a JAAS authentication 
architecture. Role assignment affords certain privileges to certain users (see Lai, 
Section 5.1 , Figures 5, 6, and 7), and by assigning a service user identifier and 
corresponding password, the service can match a role with the user. Furthermore, by 
separating the server user identification from the authentication procedure to establish 
the unified login-id of the user, the two portions become decoupled, which can allow for 
easier integration of the authentication server with the services. Therefore, it would be 
obvious to one of ordinary skill in the art at the time the invention was made to include a 
server user identifier and the corresponding server user password in the authentication 
key then use this pair to establish a session at the service once the user's username 
and computer id has been verified to be the same as the parsed username and parsed 
computer id. Motivation for such an implementation would provide a simple and 
modular means of allocating a type of service to the user once the user has been 
verified. The aforementioned covers claims 5 and 6. 

9. As per claim 7, Stallings covers a method of providing security for a computer 
connected to a data store as outlined above in the claim 6 rejection under 35 U.S.C. 



Application/Control Number: 09/513,065 Page 7 

Art Unit: 2132 

103(a). In addition, multiple users share one server user identifier and server password 
(see Lai, Section 5.1, Figures 6 and 7). 

10. As per claim 8, Stallings covers a method of providing security for a computer 
connected to a data store as outlined above in the claim 1 rejection under 35 U.S.C. 
103(a). In addition, the method further comprises generating the authentication key 
(see Stallings, page 326, third paragraph; step 2). 

11. As per claim 9, it is a method claim corresponding to claims 6 and 8 and it does 
not teach or define above the information claimed in claims 6 and 8. Therefore, claim 9 
is rejected under Stallings in view of Lai for the same reasons set forth in the rejections 
of claims 6 and 8. 

12. As per claim 10, Stallings covers a method of providing security for a computer 
connected to a data store as outlined above in the claim 8 rejection under 35 U.S.C. 
103(a). In addition, the method further comprises encrypting the authentication key 
(see Stallings, page 326, third paragraph; step 2). 

1 3. As per claim 1 1 , Stallings covers a method of providing security for a computer 
connected to a data store as outlined above in the claim 8 rejection under 35 U.S.C. 
103(a). In addition, the method further comprises forwarding the authentication key to a 
user (see Stallings, page 326, third paragraph; step 2). 
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14. As per claim 12, it is a method claim corresponding to claims 1-1 1 and it does not 
teach or define above the information claimed in claims 1-11. Therefore, claim 12 is 
rejected under Stallings in view of Lai for the same reasons set forth in the rejections of 
claims 1-11. 

1 5. As per claims 1 3-24, they are apparatus claims corresponding to claims 1 -12 and 
they do not teach or define above the information claimed in claims 1-12. Therefore, 
claims 13-24 are rejected under Stallings in view of Lai for the same reasons set forth in 
the rejections of claims 1-12. 

1 6. As per claims 25-36, they are article of manufacture claims corresponding to 
claims 1-12 and they do not teach or define above the information claimed in claims 1- 
12. Therefore, claims 36-25 are rejected under Stallings in view of Lai for the same 
reasons set forth in the rejections of claims 1-12. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Kung U.S. Patent No. 5,241,594 discloses a one-time logon means and methods 
for distributed computing systems. 
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BlakleyJII et al. U.S. Patent No. 5,604,490 discloses a method and system for 
providing a user access to multiple secured subsystems. 

Sadovsky U.S. Patent No. 5,689,638 discloses a method for providing access to 
independent network resources by establishing connection using an application 
programming interface function call without prompting the user for authentication data. 

Wu et al. U.S. Patent No. 5,774,551 discloses a pluggable account management 
interface with unified login and logout and multiple user authentication services. 

Fortinsky U.S. Patent No. 5,815,574 discloses a provision of secure access to 
external resources from a distributed computing environment. 

Cohen et al. U.S. Patent No. 6,178,511 discloses a coordinating user target 
logons in a single sign-on environment. 

Shannon U.S. Patent No. 6,233,61 8 discloses an method for access control of 
networked data. 

Fang et al. U.S. Patent No. 6,243,816 discloses a single sign-on mechanism 
personal key manager. 

Jin et al. U.S. Patent No. 6,31 1 ,275 discloses a method for providing single step 
log-on access to a differentiated computer network. 

Cole et al. U.S. Patent No. 6,359,71 1 discloses a system and method for 
supporting a worker in a distributed work environment. 

Stoltz et al. U.S. Patent No. 6,615,264 discloses a method and apparatus for 
remotely administered authentication and access control. 

Bryant "Designing an Authentication System: a Dialogue in Four Scenes". 
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Steiner et al. 'Kerberos : An Authentication Service for Open Network Systems'. 
Kohl et al. The Evolution of the Kerberos Authentication Service'. 
Samar et al. 'Making Login Services Independent of Authentication 
Technologies'. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jung W Kim whose telephone number is (703) 305- 
8289. The examiner can normally be reached on M-F 9:00 A.M. to 5:00 P.M.. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (703) 305-1830. The fax phone number 
for the organization where this application or proceeding is assigned is (703) 872-9306. 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whosejglephone number is (703) 305- 
3900. 
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